[v16] Adds tctl desktop bootstrap, updates docs.

CHANGELOG.md

@@ -1036,9 +1036,9 @@ Remote Desktop Services > Remote Desktop Session Host, enable:
    designed for Windows Server 2008 R2 SP1
 1. Remote Session Environment > Limit maximum color depth
 
-Detailed instructions are available in the [setup
-guide](docs/pages/desktop-access/active-directory-manual.mdx#enable-remotefx). A
-reboot may be required for these changes to take effect.
+Detailed instructions are available in the
+[setup guide](docs/pages/desktop-access/active-directory.mdx#enable-remotefx).
+A reboot may be required for these changes to take effect.
 
 #### `tsh ssh`
 

api/client/client.go

@@ -3442,6 +3442,14 @@ func (c *Client) DeleteAllWindowsDesktopServices(ctx context.Context) error {
 	return nil
 }
 
+func (c *Client) GetDesktopBootstrapScript(ctx context.Context) (string, error) {
+	resp, err := c.grpc.GetDesktopBootstrapScript(ctx, &emptypb.Empty{})
+	if err != nil {
+		return "", trace.Wrap(err)
+	}
+	return resp.GetScript(), nil
+}
+
 // GetWindowsDesktops returns all registered windows desktop hosts.
 func (c *Client) GetWindowsDesktops(ctx context.Context, filter types.WindowsDesktopFilter) ([]types.WindowsDesktop, error) {
 	resp, err := c.grpc.GetWindowsDesktops(ctx, &filter)

api/proto/teleport/legacy/client/proto/authservice.proto

@@ -1551,6 +1551,12 @@ message WindowsDesktopCertResponse {
   bytes Cert = 1;
 }
 
+// Response message for GetDesktopBootstrapScript.
+message DesktopBootstrapScriptResponse {
+  // The PowerShell script content.
+  string Script = 1 [(gogoproto.jsontag) = "script"];
+}
+
 // ListSAMLIdPServiceProvidersRequest is a request for a paginated list of SAML IdP service providers.
 message ListSAMLIdPServiceProvidersRequest {
   // Limit is the maximum amount of resources to retrieve.
@@ -3220,6 +3226,8 @@ service AuthService {
   rpc GenerateWindowsDesktopCert(WindowsDesktopCertRequest) returns (WindowsDesktopCertResponse);
   // GenerateCertAuthorityCRL creates an empty CRL for the specified CA.
   rpc GenerateCertAuthorityCRL(CertAuthorityRequest) returns (CRL);
+  // GetDesktopBootstrapScript returns a PowerShell script to bootstrap Active Directory.
+  rpc GetDesktopBootstrapScript(google.protobuf.Empty) returns (DesktopBootstrapScriptResponse);
 
   // CreateConnectionDiagnostic creates a new connection diagnostic.
   rpc CreateConnectionDiagnostic(types.ConnectionDiagnosticV1) returns (google.protobuf.Empty);

docs/config.json

@@ -1765,8 +1765,8 @@
           "slug": "/desktop-access/getting-started/"
         },
         {
-          "title": "Active Directory (Manual)",
-          "slug": "/desktop-access/active-directory-manual/"
+          "title": "Active Directory",
+          "slug": "/desktop-access/active-directory/"
         },
         {
           "title": "Access Controls",
@@ -2303,6 +2303,11 @@
       "destination": "/access-controls/sso/",
       "permanent": true
     },
+    {
+      "source": "/desktop-access/active-directory-manual/",
+      "destination": "/desktop-access/active-directory/",
+      "permanent": true
+    },
     {
       "source": "/aws-terraform/",
       "destination": "/deploy-a-cluster/deployments/aws-ha-autoscale-cluster-terraform/",

docs/pages/desktop-access/active-directory-manual.mdx → docs/pages/desktop-access/active-directory.mdx

@@ -45,7 +45,36 @@ To complete the steps in this guide, verify your environment meets the following
 
 - (!docs/pages/includes/tctl.mdx!)
 
-## Step 1/7. Create a restrictive service account
+## Option 1: Automated configuration
+
+For relatively simple Active Directory environments, you can use the `tctl` generated configuration script
+to bootstrap your Active Directory domain for use with Teleport. At a high level, the script does the following:
+
+1. Create a restrictive service account named `Teleport Service Account` with the SAM account name `svc-teleport` and create the necessary LDAP containers.
+1. Prevent the service account from performing interactive logins by creating and linking a Group Policy Object (GPO) named `Block teleport-svc Interactive Login`.
+1. Configure a GPO named `Teleport Access Policy` to allow Teleport connections, including:
+   - Importing the Teleport CA certificate.
+   - Configuring firewall rules.
+   - Allowing remote RDP connections.
+   - Enabling RemoteFX for improved remote desktop performance.
+1. Read the LDAP CA certificate (required for secure LDAPS connections).
+1. Generate a Teleport configuration file for the Windows Desktop Service.
+
+For more complex Active Directory environments, you may need to modify the generated script to meet your specific requirements.
+It may also be easier to comprehend what the script does by following the manual configuration steps below.
+
+To use the `tctl` generated configuration script, run the following command:
+
+```bash
+# Generate the script and save it to a file named configure-ad.ps1.
+tctl desktop bootstrap > configure-ad.ps1
+```
+
+After generating the script, transfer it to a Windows domain controller and run it in a PowerShell console.
+
+## Option 2: Manual configuration
+
+### Step 1/7. Create a restrictive service account
 
 Teleport requires a service account to connect to your Active Directory domain.
 You should create a dedicated service account with restrictive permissions
@@ -130,7 +159,7 @@ To create the service account:
    You'll use this value for the `sid` field when you configure the `ldap` settings
    in a later step.
 
-## Step 2/7. Prevent the service account from performing interactive logins
+### Step 2/7. Prevent the service account from performing interactive logins
 
 The next steps modify group policy objects (GPOs). Changes to group policies
 can take time to propagate to all hosts. You can force changes to take effect
@@ -144,7 +173,7 @@ You can prevent the service account from being used to log on by creating a new
 Group Policy Object (GPO) linked to your entire domain, and then denying interactive
 logins.
 
-### Create a GPO
+#### Create a GPO
 
 1. Open PowerShell and specify a name for the new group policy object with the `$GPOName` variable:
 
@@ -158,7 +187,7 @@ logins.
    New-GPO -Name $GPOName | New-GPLink -Target $((Get-ADDomain).DistinguishedName)
    ```
 
-### Deny interactive login
+#### Deny interactive login
 
 1. Open **Group Policy Management** and expand **`Forest > Domains > $YOUR_DOMAIN > Group Policy Objects`**
    to locate the group policy object you just created.
@@ -185,7 +214,7 @@ logins.
   If you disable username and password authentication, only the Teleport virtual smart
   card can be used to access Windows computers in the domain.
 
-## Step 3/7. Configure a GPO to allow Teleport connections
+### Step 3/7. Configure a GPO to allow Teleport connections
 
 To enable access to Windows desktop sessions through Teleport, you must configure a
 group policy object that allows Windows computers to trust the Teleport certificate
@@ -203,7 +232,7 @@ You need to do the following to configure the group policy object:
 
 You must repeat these steps if you rotate the Teleport user certificate authority.
 
-### Export the Teleport certificate
+#### Export the Teleport certificate
 
 To export the Teleport user CA certificate:
 
@@ -218,7 +247,7 @@ To export the Teleport user CA certificate:
 
 1. Take note of the path to the `user-ca.cer` file for use in a later step.
 
-### Create the GPO for the Teleport certificate
+#### Create the GPO for the Teleport certificate
 
 To configure the group policy object:
 
@@ -266,7 +295,7 @@ To configure the group policy object:
    gpupdate.exe /force
    ```
 
-### Publish the Teleport CA to the Active Directory domain
+#### Publish the Teleport CA to the Active Directory domain
 
 To publish the Teleport certificate in the Active Directory domain:
 
@@ -284,7 +313,7 @@ To publish the Teleport certificate in the Active Directory domain:
    This command enables the domain controllers to trust the Teleport CA so that
    certificate-based smart card authentication through Teleport can succeed.
 
-### Publish the Teleport CA to the NTAuth Store
+#### Publish the Teleport CA to the NTAuth Store
 
 For authentication with Teleport-issued certificates to succeed, the
 Teleport CA also must be published to the enterprise NTAuth store.
@@ -310,7 +339,7 @@ To publish the Teleport CA to LDAP:
    This step isn't strictly required. However, it allows you to proceed to the
    next steps without waiting for the certificate to propagate.
 
-### Enable smart card authentication
+#### Enable smart card authentication
 
 Teleport performs certificate-based authentication by emulating a smart card.
 
@@ -336,7 +365,7 @@ To add smart card authentication to your group policy object:
    gpupdate.exe /force
    ```
 
-### Allow remote desktop connections
+#### Allow remote desktop connections
 
 Next you need to configure policies that allow remote connections to domain computers.
 
@@ -386,7 +415,7 @@ Next you need to configure policies that allow remote connections to domain comp
    gpupdate.exe /force
    ```
 
-### Enable RemoteFX
+#### Enable RemoteFX
 
 To finish configuring the `Teleport Access Policy` group policy object, you must
 enable RemoteFX. RemoteFX is a compression technology that significantly improves
@@ -416,7 +445,7 @@ the performance of remote desktop connections.
    gpupdate.exe /force
    ```
 
-## Step 4/7. Configure a certificate for RDP connections
+### Step 4/7. Configure a certificate for RDP connections
 
 The Teleport RDP client requires secure cryptographic algorithms to make
 TLS connections. However, Windows Server 2012 R2 doesn't support these algorithms
@@ -432,7 +461,7 @@ required algorithms by doing the following:
 If your hosts support the required algorithms, you can skip this step
 and go to [Export your LDAP CA certificate](#step-57-export-your-ldap-ca-certificate).
 
-### Create a certificate template
+#### Create a certificate template
 
 To create a certificate template that uses elliptic curve P-384 and SHA384 as the
 signature algorithm:
@@ -476,7 +505,7 @@ signature algorithm:
 
 1. Click **OK**.
 
-### Update GPO to use a new certificate template
+#### Update GPO to use a new certificate template
 
 To update the Teleport group policy object to use the new certificate template:
 
@@ -504,7 +533,7 @@ To update the Teleport group policy object to use the new certificate template:
    gpupdate.exe /force
    ```
 
-## Step 5/7. Export your LDAP CA certificate
+### Step 5/7. Export your LDAP CA certificate
 
 Teleport connects to your domain controller using LDAPS. This means that you must
 let Teleport know that the certificate sent by your domain controller during the
@@ -531,7 +560,7 @@ To export a CA certificate:
 can either add this certificate to your system's trusted repository or provide
 the file path to the `der_ca_file` configuration variable.
 
-## Step 6/7. Configure Teleport
+### Step 6/7. Configure Teleport
 
 To configure Teleport to protect access to Windows desktops:
 
@@ -586,7 +615,7 @@ To configure Teleport to protect access to Windows desktops:
 
 1. (!docs/pages/includes/start-teleport.mdx service="the Teleport Desktop Service"!)
 
-## Step 7/7. Log in using Teleport
+### Step 7/7. Log in using Teleport
 
 Teleport users must have appropriate permissions to access remote Windows desktops.
 For example, you can create a role that gives its users access to all Windows

docs/pages/desktop-access/introduction.mdx

@@ -66,7 +66,7 @@ For more information about configuring basic access using Teleport Windows
 Desktop Service, see the following topics:
 
 - [Configure access for local Windows users](./getting-started.mdx)
-- [Configure access for Active Directory](./active-directory-manual.mdx)
+- [Configure access for Active Directory](./active-directory.mdx)
 
 ## Further reading
 

docs/pages/desktop-access/troubleshooting.mdx

@@ -22,7 +22,7 @@ Usually, this means that the Smart Card service is not running on the target
 host.
 
 First, make sure that you [enable the Smart Card service in Group
-Policy](./active-directory-manual.mdx#enable-smart-card-authentication).
+Policy](./active-directory.mdx#enable-smart-card-authentication).
 
 If that doesn't help, log into the target host directly, open the "Services"
 program from the "Start" menu and check that the "Smart Card" service is in the
@@ -99,7 +99,7 @@ authentication was not trusted"** (or similar).
 This means that the host does not trust the Teleport CA.
 
 First, make sure that you [import the Teleport CA into Group
-Policy](./active-directory-manual.mdx#create-the-GPO-for-the-Teleport-certificate).
+Policy](./active-directory.mdx#create-the-GPO-for-the-Teleport-certificate).
 Note that if you have rotated the Teleport CA since the last import, you need to
 fetch the new CA using the following command, replacing <Var name="teleport.example.com" />
 with the address of your Teleport cluster:
@@ -125,7 +125,7 @@ Windows host.
 **Solution:** Modify firewall rules to allow inbound RDP traffic
 
 First, make sure that you open the RDP port and [allow remote desktop
-connections](./active-directory-manual.mdx#allow-remote-desktop-connections)
+connections](./active-directory.mdx#allow-remote-desktop-connections)
 in the group policy object you have configured for Teleport connections.
 
 If that does not help, check if the target host is online and try to `ping` it
@@ -352,7 +352,7 @@ This means that the desktop does not support secure cipher suites for TLS
 connections.
 
 Make sure that you [configure a certificate for RDP
-connections](./active-directory-manual.mdx#step-47-configure-a-certificate-for-rdp-connections).
+connections](./active-directory.mdx#step-47-configure-a-certificate-for-rdp-connections).
 
 ### Expired smartcard certificate
 
@@ -384,7 +384,7 @@ Teleport currently requires that NLA is disabled in order to perform its
 certificate-based passwordless login.
 
 To disable NLA, follow the instructions to [allow remote
-desktop connections](./active-directory-manual.mdx#allow-remote-desktop-connections)
+desktop connections](./active-directory.mdx#allow-remote-desktop-connections)
 in the group policy object you have configured for Teleport connections.
 If you are still encountering this error after disabling NLA in Active Directory,
 run the following command from the Windows Command prompt as an administrator

lib/auth/auth_with_roles.go

@@ -6571,6 +6571,11 @@ func (a *ServerWithRoles) GenerateWindowsDesktopCert(ctx context.Context, req *p
 	return a.authServer.GenerateWindowsDesktopCert(ctx, req)
 }
 
+func (a *ServerWithRoles) GetDesktopBootstrapScript(ctx context.Context) (*proto.DesktopBootstrapScriptResponse, error) {
+	// No sensitive information is returned in the bootstrap script.
+	return a.authServer.GetDesktopBootstrapScript(ctx)
+}
+
 // GetConnectionDiagnostic returns the connection diagnostic with the matching name
 func (a *ServerWithRoles) GetConnectionDiagnostic(ctx context.Context, name string) (types.ConnectionDiagnostic, error) {
 	if err := a.action(apidefaults.Namespace, types.KindConnectionDiagnostic, types.VerbRead); err != nil {